Analysis Overview
SHA256
688e1a87b049676464e3aa5303d9a48f184da32c3fdfa0c092e1744153e761b0
Threat Level: Known bad
The file PO-2143224.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
NirSoft WebBrowserPassView
Nirsoft
NirSoft MailPassView
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Analysis: static1
Detonation Overview
Reported
2024-02-15 11:03
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-15 11:03
Reported
2024-02-15 11:05
Platform
win7-20231215-en
Max time kernel
149s
Max time network
133s
Command Line
Signatures
Remcos
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2372 set thread context of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe |
| PID 1240 set thread context of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe |
| PID 1240 set thread context of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe |
| PID 1240 set thread context of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
"C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TQbZIZmgTPXQc.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TQbZIZmgTPXQc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB951.tmp"
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
"C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe"
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe /stext "C:\Users\Admin\AppData\Local\Temp\tkjjgleykyvuktzpzkrzbz"
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe /stext "C:\Users\Admin\AppData\Local\Temp\dmobgepzygnhmintqvdtemdww"
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe /stext "C:\Users\Admin\AppData\Local\Temp\ogumhoztmofmxojxagqupryfegwa"
Network
| Country | Destination | Domain | Proto |
| CA | 198.27.121.194:2024 | N/A | tcp |
| CA | 198.27.121.194:2024 | N/A | tcp |
| CA | 198.27.121.194:2024 | N/A | tcp |
| CA | 198.27.121.194:2024 | N/A | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpB951.tmp
| MD5 | 02a04098970db5786b54b04362e35bd2 |
| SHA1 | fcb766725770a0cf2515e7c2daf74bdc36c9f48f |
| SHA256 | 46b9bd30fbedb67f61097e7d86aa3942387c921c5c454adcb14a2d3e825fec8f |
| SHA512 | 2b268ce877062fa2c63cc0ea5fc780a0827dd63aca994f4540f1ff222227aca3b9c58dc638d34fdf870cc37ea5c8a62a35a862c8ba66b35a1102880ffc756131 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I4GVVACIY4SO497J4JCM.temp
| MD5 | 8e332a2995a3b3e77b6a46a31a98bc45 |
| SHA1 | 50e0c61552f108d230a0a73c6f3c3af613e7860f |
| SHA256 | 5e90cabba004a1df052789af0db4d3becb1c104789d5b4418db6c1800dc65e94 |
| SHA512 | ef48f5f708d1cd27681484085599b91d1caf85b35a17d709be8c4f2477ef60e8f2c93ba437efadc118301a708ab6fad8775f5d43aedba9954ad4151a8812d934 |
C:\Users\Admin\AppData\Local\Temp\tkjjgleykyvuktzpzkrzbz
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-15 11:03
Reported
2024-02-15 11:05
Platform
win10v2004-20231222-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Remcos
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 116 set thread context of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe |
| PID 3160 set thread context of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe |
| PID 3160 set thread context of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe |
| PID 3160 set thread context of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
"C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TQbZIZmgTPXQc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TQbZIZmgTPXQc.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe"
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
"C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe"
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe /stext "C:\Users\Admin\AppData\Local\Temp\onpzlviky"
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe /stext "C:\Users\Admin\AppData\Local\Temp\onpzlviky"
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe /stext "C:\Users\Admin\AppData\Local\Temp\etchk"
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe
C:\Users\Admin\AppData\Local\Temp\PO-2143224.exe /stext "C:\Users\Admin\AppData\Local\Temp\urxokknposotwvfagmgjvysyxhegppaqu"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| CA | 198.27.121.194:2024 | N/A | tcp |
| US | 8.8.8.8:53 | 194.121.27.198.in-addr.arpa | udp |
| CA | 198.27.121.194:2024 | N/A | tcp |
| CA | 198.27.121.194:2024 | N/A | tcp |
| CA | 198.27.121.194:2024 | N/A | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_az34jf1g.knx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp
| MD5 | 94e27db60ec9db4a0aa5fb5dce813752 |
| SHA1 | a9d549f00a3fd73acd300abe1889849528a4605c |
| SHA256 | c4ebf6fcc047faef8a7d023cefcc4696936649fbfd9037854abb2a635646c362 |
| SHA512 | f1a1c0a328773065664c39f9609cb938c8351bb978560b5e53769fae833ec9e9c9951e65acd6ddc4ab8f5ec2228026dc1be8725a02c84373a8e761572ae9db6d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 80d28c22297c5bc2b1f6986fc15ba7a6 |
| SHA1 | 32ec74aa9d6cd55f1db1394d70a2cf9ebf0e66be |
| SHA256 | 0e29b9822e07272b13f9fc7ef165e9530f3ee243f0234996600909a659d219bd |
| SHA512 | bee2a1ae8b8a4c4a97001fc143750b652a727a987695fb1e766c3ad993dbb974509d8ece722156c7b9341cc942cb1a920580a78f2637707e0f605a98bb7f0581 |
C:\Users\Admin\AppData\Local\Temp\urxokknposotwvfagmgjvysyxhegppaqu
| MD5 | 9d1c4331e92ea47959e79f26ca09d973 |
| SHA1 | f8baa65953243feba3299fbaa7af110fbc7011b2 |
| SHA256 | ffddf68859952ecc2a486189ef0b15519f898d4d1ba04f6555264714b2d9108f |
| SHA512 | 76cc4cfa6a89d69035c0539294a5903f5b9b01314aaa2ffef7ccc6a5cdc163bf2336fa98e6f5406510b74c8da8bf5cbac5c55718df58f3b082b7fe8f8dda3daf |